Spring OAuth2: password encoder not set in DaoAuthenticationProvider

2022-09-03 05:56:10

I am very new to Spring OAuth and Spring Security. I am trying to use the client_credentials flow in my project. Right now I have managed to use my own custom details service so that the client_id and password (secret) are taken from a database that already exists in the system. The only problem is that I cannot change the password encoder in the DaoAuthenticationProvider used by the authorization server - by default it is set to PlaintextPasswordEncoder. I cannot configure it in such a way that it would use ShaPasswordEncoder, for example. It always uses the plaintext encoder. I probably don't understand the flow well enough, since I am new to Spring.

Here is some of my code (the configuration of the DaoAuthenticationProvider does not work):

SecurityConfig.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String RESOURCE_ID = "restservice";

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/register/**");
    }

    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(daoAuthenticationProvider());
    }

    // This provider is the one registered with the WebSecurity AuthenticationManager;
    // the authorization server builds its own provider for client authentication.
    @Bean
    public DaoAuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
        daoAuthenticationProvider.setUserDetailsService(userDetailsService());
        daoAuthenticationProvider.setPasswordEncoder(passwordEncoder());
        return daoAuthenticationProvider;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new ShaPasswordEncoder();
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private MyCustomClientDetailsService myCustomClientDetailsService;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                throws Exception {
            endpoints.tokenStore(tokenStore());
        }

        @Bean
        public ResourceServerTokenServices defaultTokenServices() {
            final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
            defaultTokenServices.setSupportRefreshToken(true);
            defaultTokenServices.setTokenStore(tokenStore());
            return defaultTokenServices;
        }

        @Bean
        public TokenStore tokenStore() {
            return new InMemoryTokenStore();
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.withClientDetails(myCustomClientDetailsService);
        }

        @Bean
        public MyCustomClientDetailsService detailsService() {
            return new MyCustomClientDetailsService();
        }
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        ...
    }
}

And the custom ClientDetailsService class:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;

public class MyCustomClientDetailsService implements ClientDetailsService {

    @Autowired
    private UserService userService;

    @Override
    public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {

        User fan = userService.getFan(clientId);

        if (fan == null) {
            throw new NoSuchClientException("No client with requested id: " + clientId);
        }

        // resource id, scope, grant type and authority for this client
        BaseClientDetails details = new BaseClientDetails(clientId, "restservice", "write", "client_credentials", "USER");

        // the secret stored in the database is already encoded
        details.setClientSecret(fan.getEncodedPassword());

        return details;
    }
}

The encoded password taken from my UserService is always a bad credential, because the DaoAuthenticationProvider has PlaintextPasswordEncoder set by default.

What am I missing there? Is it possible to set the password encoder in the DaoAuthenticationProvider that is used to check the credentials here? Or do I have to write my own authentication provider so that it checks them the way I want?


Answer 1

I found that the solution to this problem is to override configure of AuthorizationServerConfigurerAdapter:

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.passwordEncoder(passwordEncoder);
    }

Answer 2

If you just want to configure Spring authentication with another password encoder, use this configuration.

    <bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="authenticationService">
            <password-encoder ref="encoder" />

            <!-- <user-service>
                <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN"/>
            </user-service> -->
        </authentication-provider>
    </authentication-manager>

Note: during user creation you need to encrypt the user's password with the same password-encoder class.
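The following is an added example written for this page, not code from either answer or from the Spring project. It ties together answer 1 (the encoder for client-secret checks is set on AuthorizationServerSecurityConfigurer, not on the WebSecurity DaoAuthenticationProvider) and answer 2's note (the secret must be stored using the same encoder the server compares with). It assumes spring-security-oauth2 2.x annotations, swaps in BCryptPasswordEncoder for the question's ShaPasswordEncoder, and replaces the database with a constructed in-memory map; HashedSecretClientDetailsService, register and secretMatches are names chosen for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

@Configuration
@EnableAuthorizationServer
public class ClientSecretAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // One encoder instance shared by registration and by the token endpoint's check.
    private final PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
    private final HashedSecretClientDetailsService clientDetailsService =
            new HashedSecretClientDetailsService(passwordEncoder);

    @Bean
    public PasswordEncoder clientSecretEncoder() {
        return passwordEncoder;
    }

    @Bean
    public HashedSecretClientDetailsService hashedSecretClientDetailsService() {
        return clientDetailsService;
    }

    // This is the hook the question was missing: the encoder set here is used when the
    // secret presented by the client (e.g. over HTTP Basic at /oauth/token) is compared
    // with ClientDetails.getClientSecret(). The WebSecurity provider is not consulted.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.passwordEncoder(passwordEncoder);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(clientDetailsService);
    }
}

// Stands in for the question's MyCustomClientDetailsService plus its registration side
// (hypothetical class; the map replaces the database used in the question).
class HashedSecretClientDetailsService implements ClientDetailsService {

    private final PasswordEncoder encoder;
    // constructed store: client_id -> encoded secret
    private final Map<String, String> secretHashes = new ConcurrentHashMap<>();

    HashedSecretClientDetailsService(PasswordEncoder encoder) {
        this.encoder = encoder;
    }

    // Registration path (answer 2's note): encode with the SAME encoder the server checks with.
    public void register(String clientId, String rawSecret) {
        secretHashes.put(clientId, encoder.encode(rawSecret));
    }

    @Override
    public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
        String hash = secretHashes.get(clientId);
        if (hash == null) {
            throw new NoSuchClientException("No client with requested id: " + clientId);
        }
        // resource id, scope, grant type and authority, as in the question
        BaseClientDetails details =
                new BaseClientDetails(clientId, "restservice", "write", "client_credentials", "ROLE_USER");
        // Return the stored hash; the configured encoder does the comparison.
        details.setClientSecret(hash);
        return details;
    }

    // Mirrors the comparison the authorization server performs at token time; useful in a
    // unit test to confirm the stored format and the configured encoder agree.
    public boolean secretMatches(String clientId, String rawSecret) {
        String hash = secretHashes.get(clientId);
        return hash != null && encoder.matches(rawSecret, hash);
    }
}
```

With this wiring, a client registered via register("app", "s3cret") authenticates at the token endpoint with the raw secret, while the stored value is only the bcrypt hash; registering with a different encoder than the one passed to oauthServer.passwordEncoder(...) reproduces the "bad credentials" result described in the question.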

